ssl module - how can I accept SSLv3 and TLSv1 protocols only?
Jean-Paul Calderone
exarkun at divmod.com
Wed Jan 7 08:21:21 EST 2009
On Tue, 6 Jan 2009 19:01:48 -0800 (PST), Giampaolo Rodola' <gnewsg at gmail.com> wrote:
>Hi,
>I'm trying to add TLS/SSL support to pyftpdlib.
>Since various defects have been found in the SSLv2 protocol many FTPS
>servers (i.e. proftpd and vsftpd) decided to support SSLv3 and TLSv1
>only and systematically reject any client attempting to use SSLv2.
>Is there a way to tell ssl.wrap_socket() to accept SSLv3 and TLSv1
>connections only?
>If that's not possible can I determine the encryption protocol being
>used *after* that the SSL/TLS handshake took place?
>
>
>I tried to use wrap_socket as follows:
>
>self.socket = ssl.wrap_socket(self.socket,
>                              certfile=CERTFILE,
>                              server_side=True,
>                              ssl_version=ssl.PROTOCOL_SSLv3 | ssl.PROTOCOL_TLSv1)
>
>...it works if on the client side I use TLSv1 but not if I use SSLv3
>("SSLError: [Errno 1] _ssl.c:480: error:14094410:SSL
>routines:SSL3_READ_BYTES:sslv3 alert handshake failure" exception is
>raised)
>
At the OpenSSL level, you do this by specifying SSLv23_METHOD and then
setting the SSL_OP_NO_SSLv2 flag. With pyOpenSSL, you do this by
creating a context with SSLv23_METHOD and then setting SSL_OP_NO_SSLv2 on
it, like so:
from OpenSSL.SSL import Context, SSLv23_METHOD, OP_NO_SSLv2
context = Context(SSLv23_METHOD)   # version-flexible method (SSLv2, SSLv3, TLSv1)
context.set_options(OP_NO_SSLv2)   # then exclude SSLv2 from the negotiation
It seems the ssl module does expose SSLv23_METHOD as PROTOCOL_SSLv23,
but I don't see SSL_OP_NO_SSLv2 anywhere, nor any way to specify any
extra flags.
OR-ing PROTOCOL_SSLv3 together with PROTOCOL_TLSv1 is almost certainly
not the right approach, anyway (as you saw with your tests).
Jean-Paul
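An added example, not part of the thread and not pyftpdlib's code, showing both halves of the exchange in the ssl module as it exists today (Python 3.7+ SSLContext API, assumed). The PROTOCOL_* constants are method selectors with the integer values 0 (SSLv2), 1 (SSLv3), 2 (SSLv23) and 3 (TLSv1), so `PROTOCOL_SSLv3 | PROTOCOL_TLSv1` is `1 | 3 == 3`, i.e. plain PROTOCOL_TLSv1, which is why the server in the question spoke to TLSv1 clients and refused SSLv3 ones. The right mechanism is the one in the reply, start from the version-flexible method and exclude what you don't want; here the exclusion is expressed as a version floor, and TLS 1.2 is assumed as today's analogue of "SSLv3 and TLSv1 only". The certfile/keyfile paths and the listening socket are hypothetical inputs supplied by the caller; `tls.version()` after the handshake answers the second question in the post.

```python
import ssl

# Integer values of the classic ssl.PROTOCOL_* selectors, unchanged since the
# module first shipped: SSLv2=0, SSLv3=1, SSLv23=2, TLSv1=3 (TLSv1_1=4 and
# TLSv1_2=5 were added later).  Spelled as ints here because a modern OpenSSL
# build no longer even defines ssl.PROTOCOL_SSLv3.
SELECTOR_SSLv3 = 1
SELECTOR_TLSv1 = 3
SELECTOR_TLSv1_1 = 4


def or_of_selectors(*selectors):
    """OR protocol selectors together, as the question's wrap_socket call did.
    They are method selectors, not bit flags, so the result is just another
    (possibly meaningless) selector: 1 | 3 == 3, 3 | 4 == 7."""
    value = 0
    for s in selectors:
        value |= int(s)
    return value


def is_usable_selector(value):
    """True if SSLContext accepts the integer as a protocol selector at all."""
    try:
        ssl.SSLContext(value)
    except ValueError:  # "invalid or unsupported protocol version"
        return False
    return True


def make_server_context(certfile=None, keyfile=None,
                        floor=ssl.TLSVersion.TLSv1_2):
    """Server context that negotiates TLS only.  This is the reply's
    SSLv23_METHOD + SSL_OP_NO_SSLv2 idea in the current ssl API: start from
    the version-flexible method and exclude by a floor (TLS 1.2 assumed here
    as the present-day analogue of "SSLv3 and TLSv1 only")."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)  # OpenSSL's SSLv23 method
    ctx.minimum_version = floor
    # Pre-3.7 spelling of the same exclusion, still accepted but deprecated:
    #   ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
    if certfile is not None:  # hypothetical paths supplied by the caller
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def accept_tls(listener, ctx):
    """Accept one client on an already-listening socket; the handshake runs
    inside wrap_socket.  Returns (tls_socket, negotiated_version), or
    (None, reason) when the client offered nothing the context allows, which
    is how an SSLv2/SSLv3-only client is turned away."""
    conn, _addr = listener.accept()
    try:
        tls = ctx.wrap_socket(conn, server_side=True)
    except ssl.SSLError as exc:
        conn.close()
        return None, exc.reason
    return tls, tls.version()  # e.g. 'TLSv1.2' or 'TLSv1.3'
```

`is_usable_selector` exists only to make the point concrete: `1 | 3` happens to be a valid selector (TLSv1), so the mistake in the question failed quietly, whereas `3 | 4 == 7` is not a selector at all and SSLContext rejects it outright.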